r62052 introduced crashes inside JSLazyEventListener::initializeFunction. The problematic line is:

    static_cast<JSNode*>(wrapper())->pushEventHandlerScope(exec, scope);

In the crashing case, wrapper() is a JSGlobalObject, not a JSNode, so the cast is invalid.
Note that r62052 was part of bug 40484.
<rdar://problem/8141484>
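The failure pattern in this report is an unchecked static_cast to a derived type when the object's dynamic type is something else. The following is an added, self-contained C++ illustration, not WebKit or JavaScriptCore code: JSObjectLike, JSNodeLike, JSGlobalObjectLike, the WrapperKind tag, toNodeIfNode and initializeHandlerScope are all hypothetical stand-ins constructed here. It shows the unchecked cast beside a guarded downcast that consults a runtime type tag and lets a global-object (window) wrapper take the node-less path instead of being misread as a node.

```cpp
#include <cassert>
#include <cstdint>
#include <iostream>

// Hypothetical stand-ins for the two wrapper kinds named in the report.
// These are NOT WebCore/JSC classes; the type tag is a constructed device
// that makes the dynamic type checkable without RTTI.
enum class WrapperKind : std::uint8_t { GlobalObject, Node };

struct JSObjectLike {
    explicit JSObjectLike(WrapperKind kind) : m_kind(kind) {}
    virtual ~JSObjectLike() = default;
    WrapperKind kind() const { return m_kind; }
private:
    WrapperKind m_kind;
};

struct JSGlobalObjectLike : JSObjectLike {
    JSGlobalObjectLike() : JSObjectLike(WrapperKind::GlobalObject) {}
};

struct JSNodeLike : JSObjectLike {
    JSNodeLike() : JSObjectLike(WrapperKind::Node) {}
    int scopeDepth = 0;                       // only nodes carry this field
    void pushEventHandlerScope() { ++scopeDepth; }
};

// Unchecked downcast: the shape of the line quoted in the report. Calling it
// on a JSGlobalObjectLike is undefined behaviour (the callee then touches a
// field the object does not have), which is how the crash arises. It is only
// valid when the wrapper really is a node.
inline JSNodeLike* uncheckedToNode(JSObjectLike* wrapper) {
    return static_cast<JSNodeLike*>(wrapper);
}

// Guarded downcast: check the runtime type tag first and return nullptr when
// the wrapper is not a node, so the caller can skip node-specific work.
inline JSNodeLike* toNodeIfNode(JSObjectLike* wrapper) {
    if (!wrapper || wrapper->kind() != WrapperKind::Node)
        return nullptr;
    return static_cast<JSNodeLike*>(wrapper);
}

// Models the scope setup step: only node wrappers contribute an event-handler
// scope; a window (global object) handler skips it. Returns the node's scope
// depth after the push, or 0 when there was no node to push onto.
inline int initializeHandlerScope(JSObjectLike* wrapper) {
    if (JSNodeLike* node = toNodeIfNode(wrapper)) {
        node->pushEventHandlerScope();
        return node->scopeDepth;
    }
    return 0;
}

// Runs the report's scenario through the guarded path: a window-level onload
// handler (global-object wrapper) and a node-level handler. Encodes both
// results in one value so the outcome is observable: window*100 + node.
inline int simulateWindowAndNodeHandlers() {
    JSGlobalObjectLike window;
    JSNodeLike node;
    int fromWindow = initializeHandlerScope(&window);  // 0: no scope, no crash
    int fromNode = initializeHandlerScope(&node);      // 1: one scope pushed
    return fromWindow * 100 + fromNode;
}

int main() {
    std::cout << "window*100 + node = " << simulateWindowAndNodeHandlers() << "\n";
    return 0;
}
```

The point of the guarded form is that the decision is made on the object's actual kind, not on what the calling code assumes it was given; when a listener can be attached to either a node or the window, the cast site has to tolerate both.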
Here's a backtrace in a crashing case:

> WebKit.dll!WebCore::JSLazyEventListener::initializeJSFunction(WebCore::ScriptExecutionContext * executionContext=0x0451c6fc) Line 124 + 0x31 bytes C++
> WebKit.dll!WebCore::JSEventListener::jsFunction(WebCore::ScriptExecutionContext * scriptExecutionContext=0x0451c6fc) Line 79 + 0x13 bytes C++
> WebKit.dll!WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext * scriptExecutionContext=0x0451c6fc, WebCore::Event * event=0x045702d0) Line 69 + 0xc bytes C++
> WebKit.dll!WebCore::EventTarget::fireEventListeners(WebCore::Event * event=0x045702d0, WebCore::EventTargetData * d=0x044ce6b4, WTF::Vector<WebCore::RegisteredEventListener,1> & entry=[1]({listener=0x0454e620 {m_functionName={onload} m_eventParameterName={event} m_code={startTest()} ...} useCapture=false })) Line 329 + 0x35 bytes C++
> WebKit.dll!WebCore::EventTarget::fireEventListeners(WebCore::Event * event=0x045702d0) Line 295 C++
> WebKit.dll!WebCore::DOMWindow::dispatchEvent(WTF::PassRefPtr<WebCore::Event> prpEvent={...}, WTF::PassRefPtr<WebCore::EventTarget> prpTarget={...}) Line 1480 + 0x11 bytes C++
> WebKit.dll!WebCore::DOMWindow::dispatchLoadEvent() Line 1436 C++
> WebKit.dll!WebCore::Document::dispatchWindowLoadEvent() Line 3195 C++
> WebKit.dll!WebCore::Document::implicitClose() Line 1907 C++
> WebKit.dll!WebCore::FrameLoader::checkCallImplicitClose() Line 947 C++
> WebKit.dll!WebCore::FrameLoader::checkCompleted() Line 896 C++
> WebKit.dll!WebCore::FrameLoader::finishedParsing() Line 835 C++
> WebKit.dll!WebCore::Document::finishedParsing() Line 4409 C++
> WebKit.dll!WebCore::LegacyHTMLTreeBuilder::finished() Line 1642 + 0x1a bytes C++
> WebKit.dll!WebCore::HTMLTreeBuilder::finished() Line 1043 C++
> WebKit.dll!WebCore::HTMLDocumentParser::end() Line 267 C++
> WebKit.dll!WebCore::HTMLDocumentParser::attemptToEnd() Line 279 C++
> WebKit.dll!WebCore::HTMLDocumentParser::finish() Line 296 C++
> WebKit.dll!WebCore::Document::finishParsing() Line 2054 + 0x20 bytes C++
> WebKit.dll!WebCore::DocumentWriter::endIfNotLoadingMainResource() Line 222 C++
> WebKit.dll!WebCore::DocumentWriter::end() Line 207 C++
> WebKit.dll!WebCore::DocumentLoader::finishedLoading() Line 270 C++
> WebKit.dll!WebCore::FrameLoader::finishedLoading() Line 2216 C++
> WebKit.dll!WebCore::MainResourceLoader::didFinishLoading() Line 425 C++
> WebKit.dll!WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle * __formal=0x044d8530) Line 443 + 0xf bytes C++
> WebKit.dll!WebCore::didFinishLoading(_CFURLConnection * conn=0x04525c40, const void * clientInfo=0x044d8530) Line 240 + 0x1e bytes C++
*** This bug has been marked as a duplicate of bug 41357 ***